Skip to content
Latchkey

aws iam create-role: Create an IAM Role for CI

Create an IAM role, including the OIDC trust policy GitHub Actions assumes.

aws iam create-role creates a role defined by a trust policy (--assume-role-policy-document). For modern CI, that trust policy authorizes GitHub's OIDC provider to assume the role - so workflows get short-lived credentials with no static keys. Permissions are then attached separately.

Common flags

  • --role-name - the role name (required)
  • --assume-role-policy-document file://trust.json - the trust policy (required)
  • --description - a human-readable description
  • --max-session-duration - max assumed-session length in seconds
  • --permissions-boundary - cap the role's effective permissions

Example in CI

Create a role whose trust policy allows GitHub OIDC.

shell
aws iam create-role --role-name github-deploy --assume-role-policy-document file://github-oidc-trust.json

Common errors in CI

  • An error occurred (EntityAlreadyExists) - a role with that name already exists
  • MalformedPolicyDocument - trust JSON invalid or missing the OIDC Condition
  • An error occurred (AccessDenied) - principal lacks iam:CreateRole
  • OIDC AssumeRole fails later - sub/aud Condition does not match the repo/branch

Key takeaways

  • The trust policy (--assume-role-policy-document) controls who can assume the role.
  • For GitHub Actions, trust the token.actions OIDC provider, scoped by sub to repo/branch.
  • create-role sets trust only; attach permission policies separately.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →